China has passed its data protection law named the Personal Information Protection Law (PIPL) that came into effect on November 1, 2021. The PIPL is comparatively more strict than other privacy laws. However, it does have several similarities to the GDPR.
PIPL is going to have a great impact on organizations because of its extraterritorial application, strict compliance requirements, and hefty fines. Most of the organizations already have privacy policies and effective privacy management practices in place to ensure compliance with the GDPR. However, these existing policies won’t be fully able to address the compliance requirements required under the PIPL. Organizations should begin reviewing their policies and practices in preparation for complying with the PIPL (effective from November 1st, 2021). We have compiled a checklist of key requirements under China’s PIPL:
1. Identify whether your organization needs to have a dedicated entity or a representative within the borders of China:
China’s PIPL extends its territorial scope to the processing of personal information conducted outside of China, provided that the purpose of the processing is:
(i) To provide products or services to individuals in China, or
(ii) To “analyze” or “assess" the behavior of individuals in China, or
(iii) For other purposes to be specified by laws and regulations.
So if you are an offshore organization that is processing the personal data of Chinese residents for the purpose of providing services or products, or for analyzing and assessing their behavior, you must establish a “dedicated office” or appoint a “designated representative” in China for personal information protection purposes, and also file the information of the entity or the representative with competent government authorities.
2. Identify the lawful basis for collection and use of all personal information:
Under the PIPL, organizations can process personal information only on a lawful basis. PIPL provides seven lawful basis for the processing of personal information. Please find these lawful basis here and ensure that your organization relies on one of these basis for the processing of personal information. Your organization’s processing activities should have a clear and reasonable purpose and shall be directly related to the processing purpose. Please note that, unlike the GDPR, “legitimate interest” is not a recognized lawful basis under the PIPL.
3. Provide individuals the right to withdraw their consent to the processing of their personal information:
Where your organization relies on consent as a lawful basis of processing, you must provide a convenient mechanism for individuals to withdraw their consent. You should not refuse to provide services to individuals who don’t agree to have their data processed, unless that data is necessary for the provision of that product or service.
4. Provide privacy notices to individuals before the processing activities:
PIPL requires organizations to provide an explicit privacy notice to individuals in a clear and easily understood language before the processing of their personal information. Your privacy notice should include the following information:
- The name or personal name and contact method of the data controller;
- The purpose of personal information processing and the processing methods, the categories of processed personal information, and the retention period;
- Methods and procedures for individuals to exercise the rights provided in the PIPL;
- Other items that laws or administrative regulations provide shall be notified.
If your organization notifies individuals through the method of formulating personal information processing rules, then you should make these processing rules public and convenient to read and store.
5. Have data subject requests mechanisms to fulfill data subjects rights:
PIPL provides individuals with several data subjects rights (i.e, access, rectification, limit, deletion, etc.), and mandates that organizations should establish convenient mechanisms to accept and process requests from individuals to exercise their rights. Therefore, your organization should have an automated data subject requests mechanism.
6. Have a security breach response and notification mechanism in place:
PIPL requires that in the event of a security breach, organizations should take “immediate” remediation actions and notify the relevant agencies and affected individuals. You should have a clear security breach response plan and tools in place to ensure compliance with the breach notifications.
7. Assess the need to conduct a Personal Information Impact Assessment:
Your organization must conduct a Personal Information Impact Assessment if you are conducting processing in one of the following scenarios:
- Processing sensitive personal information; or
- Using personal information to conduct automated decision-making; or
- Entrusting personal information processing, or providing personal information to other data controllers, or disclosing personal information; or
- Providing personal information abroad; or
- Other personal information processing activities with a major impact on individuals.
8. Implement data classifications and management mechanisms:
Under the PIPL, organizations are required to formulate internal management structures and operating rules and implement data classification and management mechanisms. This requirement aligns with the new data classification obligations under China’s Data Security Law. Therefore, your organization should have data classification and management mechanisms in place in accordance with categories of personal information that you process.
9. Fulfill cross border data transfer obligations:
If your organization is involved in cross-border data transfers with China, you must oblige with these strict requirements. You must provide notices to individuals explaining the details of the transfer, and obtain their specific consent for the transfer of their personal information. You must also meet one of the following conditions:
- Pass a security assessment organized by the State cybersecurity and informatization department (related to operators of Critical Information Infrastructure and organizations that transfer a large volume of personal information);
- Undergo a personal information protection certification conducted by a specialized body according to provisions by the State cybersecurity and informatization department;
- Conclude a contract with the foreign receiving side in accordance with a standard contract formulated by the cyberspace and informatization department, agreeing upon the rights and responsibilities of both sides;
- Other conditions are provided in laws or administrative regulations or by the State cybersecurity and informatization department.
If you process a large volume of personal information or categorize yourself as a critical information infrastructure operator, then you must fulfill the data localization requirements of the PIPL.
10. Conclude data processing agreements with third parties processors:
If you are engaging third parties for your processing activities, you must ensure that you conclude an agreement with the third parties on the purpose for processing, the time limit, the processing method, categories of personal information, protection measures, as well as the rights and duties of both sides, etc., and conduct supervision of the personal information processing activities of the third parties.
Securiti helps organizations automate their privacy management operations using artificial intelligence and robotic automation. Request a demo and start your PIPL compliance process today.